I have been trying to port over some infrastructure to K8S from a VM docker setup. But I cannot seem to reference the tls certificate and key properly within the K8S env.yaml
such that the container using the env
can use them correctly.
In a traditional VM docker setup the .env
file looks like this for referencing the tls cert key:
TLS_CERT_PATH=/tls/server.crt
TLS_KEY_PATH=/tls/server.key
In my K8S I create the tls cert key via:
kubectl create secret tls cl-tls --key "server.key" --cert "server.crt"
And I reference the tls cert key via within the env-configmap.yaml
via:
apiVersion: v1
kind: ConfigMap
metadata:
name: env-config
data:
TLS_CERT_PATH: "cl-tls"
TLS_KEY_PATH: "cl-tls"
I have additionally tried with no luck either:
kubectl create secret generic tls-cert --from-file="server.crt"
kubectl create secret generic tls-key --from-file="server.key"
With a env-configmap.yaml
:
TLS_CERT_PATH: "tls-cert"
TLS_KEY_PATH: "tls-key"
CodePudding user response:
You are mixing two different concepts.
- You want to make the
server.key
andserver.cert
files available to your pods, and want to reference them in your pod specification in the form ofPATH
variables. This is a separate implementation. LEGACY APPROACH - You want to convert the
server.key
andserver.cert
to asecret
object. And you want to use thesecret
in your pods to inject theserver.key
andserver.cert
information directly in the pod. KUBERNETES NATIVE APPROACH
Note: You do not need a
ConfigMap
in any case. (You should never useConfigMap
type for sensitive data anyway).
Procedure for Approach 1
- Put the
server.cert
andserver.key
in a directory on the worker node where your pod will run. Let's call it~/certs/
. - Mount this directory as a volume to your pods, with type
hostPath
. You can read more about them here. - Add
TLS_CERT_PATH: "~/.certs/server.cert"
andTLS_KEY_PATH: "~/.certs/server.key"
as environment variable to your pod. This will work as expected.
This is it. You do not need config maps or secrets and this approach will work. This is not a recommended approach since if you want to rotate the certificates when they are about to expire, you'll have to manually update the server.key
and server.cert
files on your node for the pod authentication to work. But this is how it will be done.
Procedure for Approach 2
- Create a
tls
type secret with yourserver.cert
andserver.key
files. (You're already doing this correctly). You can use this doc for more details. - Use that secret to inject the
server.cert
andserver.key
into your pods. You will mount this secret as a volume to your pod. And then you can reference the secret parameters as "files" in your pod specification. When secrets are used in this way the parameter name becomes a file at the mount point, and the parameter value becomes the contents of that file. You'll configure your pod specification with environment asTLS_CERT_PATH: "secret/mount/path/server.cert"
andTLS_KEY_PATH:"secret/mount/path/server.key"
. You can find the recipe to do that in the docs here.
Both approaches will work. Except this time, you can very easily rotate your TLS certificates by simply updating the Secret
object and the volume mount sync will automatically update it in all the pods that have it mounted. Understand that secrets are functionally equivalent to ConfigMaps
. Both are key/value pairs. It is just that Secrets
have special attributes and features that make them more suitable to be used for sensitive data.
Hope this helps!